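Posted by: Suning (蘇寧★軍刀出鞘★), Board: Security
Subject: New NT bug, remote DoS attack
Origin: Wuhan Baiyun Huanghe BBS (Sun Oct 17 04:37:01 1999), forwarded
ISS X-Force has discovered a DoS attack against Windows NT Server 4.0,
Terminal Server Edition. This vulnerability lets a remote user quickly
exhaust all available memory on a Windows NT Terminal Server, disconnecting
every user logged in to the host and preventing them from logging in again.
-- Description
1. Windows NT Server 4.0 Terminal Server Edition listens for terminal
connections on TCP port 3389. Once a TCP connection is made to this port,
the terminal server begins allocating system resources to handle the new
client connection and to authenticate it.
2. The flaw is that, before authentication completes, the system has to
commit a considerable amount of resources to the new connection, and it
places no limit on the resources it allocates. A remote attacker can
therefore saturate the system's memory allocation by opening a large number
of TCP connections to port 3389.
3. At that point every user connection to the server times out and can no
longer continue. The remote attacker can still sustain the attack with a
program that uses only low bandwidth, keeping the server at maximum memory
consumption and preventing new connections from being established.
4. Overseas test reports indicate that a long, sustained attack against this
weakness can even make the server crash persistently; unless it is rebooted,
the server can no longer allow new connections to complete.
-- Affected platforms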
Windows NT 4.0 Terminal Server Edition.
-- Fix
1. The fix is available at:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40tse/hotfixes
-postSP4/Flood-fix/
[Note]: Because of the line-length limit, please join the URL above into a single line.
2. For more details, see the Microsoft bulletin at:
http://www.microsoft.com/security/bulletins/ms99-028.asp.
-- Impact-----------------------------------------------------------
A user can cause a DoS attack, [...] server functionality.
-- Contact TW-CERT-------------------------------------------------------
Phone : 886-7-5250211 Fax : 886-7-5250212
Email : twcert@cert.org.tw
URL : http://www.cert.org.tw/
PGP key:
======================================================================
Attachment: [ISS Security Advisory: Denial of Service Attack Against Windows NT
Terminal Server]
ISS Security Advisory
August 9, 1999
Denial of Service Attack Against Windows NT Terminal Server
Synopsis:
The ISS X-Force has discovered a denial of service attack against
Windows NT Server 4.0, Terminal Server Edition. This vulnerability
allows a remote attacker to quickly consume all available memory on a
Windows NT Terminal Server, causing a significant disruption for users
currently logged into the terminal server, and preventing any new terminal
connections from being successfully completed.
Recommended Action:
Network administrators can protect internal systems from external attack
by creating a packet filter of the form:
- Prevent all incoming packets destined for TCP port 3389
If you have a legitimate need for terminal server connections to be made
from outside your network, you should limit access to TCP port 3389 to
only the external IP addresses or networks that have a legitimate reason
to connect.
The fix for this problem is available at
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40tse/hotfixes-postSP4/Flood-fix/
The Microsoft bulletin describing this issue is available at
http://www.microsoft.com/security/bulletins/ms99-028.asp.
Description:
Windows NT Server 4.0 Terminal Server Edition listens for terminal
connections on TCP port 3389. Once a TCP connection is made to this port,
the terminal server will utilize resources in order to handle the new
client connection and authenticate the connection. The manner this is
done, however, requires significant server resources before any
authentication takes place and without any throttling of resource
utilization.
Specifically, a remote attacker can quickly cause a server to reach full
memory utilization by creating a large number of normal TCP connections
to port 3389. Individual connections will timeout, but a low bandwidth
continuous attack will maintain a terminal server at maximum memory
utilization and prevent new connections from a legitimate source
from taking place. Legitimate new connections will fail at this point
with an error of either a connection timeout, or the terminal server has
ended the connection.
In testing, a long running attack of this type has been able to
sporadically crash the terminal server executable and permanently maintain
the machine at full memory usage without allowing any new terminal server
connections until the machine was rebooted.
Additional Information:
This vulnerability was primarily researched by David J. Meltzer of the ISS
X-Force.
________
About ISS:
ISS leads the market as the source for e-business risk management solutions,
serving as a trusted security provider to thousands of organizations
including 21 of the 25 largest U.S. commercial banks and more than 35
government agencies. With its Adaptive Security Management approach, ISS
empowers organizations to measure and manage enterprise security risks
within Intranet, extranet and electronic commerce environments. Its
award-winning SAFEsuite(r) product line of intrusion detection,
vulnerability management and decision support solutions are vital for
protection in today's world of global connectivity, enabling organizations
to proactively monitor, detect and respond to security risks. Founded in
1994, ISS is headquartered in Atlanta, GA with additional offices
throughout the U.S. and international operations in Australia/New Zealand,
Belgium, France, Germany, Japan, Latin America and the UK. For more
information, visit the ISS Web site at www.iss.net or call 800-776-2362.
Copyright (c) 1999 by Internet Security Systems, Inc. Permission is
hereby granted for the redistribution of this Alert electronically. It is
not to be edited in any way without express consent of the X-Force. If
you wish to reprint the whole or any part of this Alert in any other
medium excluding electronic medium, please e-mail xforce@iss.net
for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.
X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as
well as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force xforce@iss.net
of Internet Security Systems, Inc.
======================================================================
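This article is an original work by a member of the Green Army (綠色兵團); if you repost it, please keep the article intact.
--
My boundless thoughts reach across the wide universe; in the silence I listen for the thunder.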
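
The advisory recommends limiting TCP port 3389 to known external addresses and describes the attack as a slow, steady stream of ordinary connections. The following is an added example, not part of the original post or of ISS or Microsoft material: it checks a connection log against both conditions. The log format, the allowlisted network, and the window and limit values are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

TS_PORT = 3389  # Terminal Server port named in the advisory

def parse(line):
    """Assumed log format: '<epoch_seconds> <src_ip> <dst_port> <tcp_flag>'."""
    ts, src, port, flag = line.split()
    return float(ts), ip_address(src), int(port), flag

def review(lines, allowed, window=60.0, limit=20):
    """Return (outside, flooding) as sorted lists of source IPs.

    outside  - sources the recommended packet filter would have dropped
    flooding - sources that opened more than `limit` new connections to
               TS_PORT within any `window` seconds, allowlisted or not
    """
    nets = [ip_network(n) for n in allowed]
    recent = defaultdict(deque)          # per-source timestamps of new connections
    outside, flooding = set(), set()
    for line in sorted(lines, key=lambda l: float(l.split()[0])):
        ts, src, port, flag = parse(line)
        if port != TS_PORT or flag != "SYN":
            continue                     # only new connections to 3389 matter here
        if not any(src in n for n in nets):
            outside.add(str(src))
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:        # slide the window forward
            q.popleft()
        if len(q) > limit:
            flooding.add(str(src))
    return sorted(outside), sorted(flooding)

# Constructed sample: an allowlisted branch office, one outside host opening
# a connection every two seconds, and unrelated traffic that must be ignored.
SAMPLE = (
    ["%d 192.0.2.10 3389 SYN" % (1000 + 30 * i) for i in range(5)]
    + ["%d 203.0.113.7 3389 SYN" % (1000 + 2 * i) for i in range(40)]
    + ["1005 198.51.100.4 80 SYN", "1006 192.0.2.10 3389 ACK"]
)

if __name__ == "__main__":
    outside, flooding = review(SAMPLE, ["192.0.2.0/24"])
    print("not on allowlist:", outside)
    print("connection flood:", flooding)
```

A source on the allowlist is still reported under `flooding`, since the packet filter narrows who can reach the port but does not throttle pre-authentication connections from those who can.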